Secrets Management: HashiCorp Vault vs Infisical vs Doppler
Compare HashiCorp Vault, Infisical, and Doppler for secrets management. Self-hosted vs cloud, developer experience, Kubernetes integration, and rotation...
Why Secrets Management Matters
If your secrets are in .env files committed to Git, environment variables on a shared server, or a shared 1Password vault, you have a secrets management problem. Secrets (API keys, database passwords, TLS certificates) need to be:
- Centralized: One source of truth, not scattered across servers and repos
- Encrypted: At rest and in transit
- Audited: Every access logged with who, what, when
- Rotatable: Change a secret without redeploying services
- Access-controlled: Each service gets only the secrets it needs
HashiCorp Vault: The Enterprise Standard
Vault is the most feature-rich secrets management tool. It supports secret engines (KV, databases, PKI, SSH, cloud IAM), dynamic secrets, and encryption-as-a-service.
# Start Vault in dev mode (for learning only: in-memory storage, auto-unsealed, root token printed to stdout)
vault server -dev
# Store a secret (dev mode mounts a KV v2 engine at secret/)
vault kv put secret/myapp/database \
  username=dbadmin \
  password=supersecret \
  host=postgres.internal
# Read a secret
vault kv get secret/myapp/database
# Dynamic database credentials (auto-rotated)
# Enable the database secrets engine, then give Vault its own admin user on Postgres
vault secrets enable database
vault write database/config/postgres \
  plugin_name=postgresql-database-plugin \
  connection_url="postgresql://{{username}}:{{password}}@postgres:5432/app" \
  allowed_roles="readonly,readwrite" \
  username="vault" \
  password="vault-password"
# Let Vault replace the bootstrap password with one nobody else knows
vault write -force database/rotate-root/postgres
vault write database/roles/readonly \
  db_name=postgres \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl="1h" \
  max_ttl="24h"
# Get dynamic credentials (a new Postgres user is created per request and dropped when the lease
# expires; the lease can be renewed up to max_ttl)
vault read database/creds/readonly
# username: v-token-readonly-abc123
# password: A1B2C3D4E5
# ttl: 1h
Vault with Kubernetes:
# Vault Agent injector - automatically injects secrets into pods
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Rendered to /vault/secrets/db by the injected Vault Agent sidecar
        vault.hashicorp.com/agent-inject-secret-db: "secret/data/myapp/database"
        vault.hashicorp.com/agent-inject-template-db: |
          {{- with secret "secret/data/myapp/database" -}}
          DB_HOST={{ .Data.data.host }}
          DB_USER={{ .Data.data.username }}
          DB_PASS={{ .Data.data.password }}
          {{- end }}
        # Vault Kubernetes-auth role; it must be bound to this pod's service account
        vault.hashicorp.com/role: "myapp"
    spec:
      # The agent logs in with this service account's token, so the Vault role "myapp"
      # must list it in bound_service_account_names / bound_service_account_namespaces
      serviceAccountName: my-app
      containers:
        - name: app
          image: my-app:latest
          # Sourcing the file once at startup means a rotated secret is only picked up
          # on restart, even though the agent keeps re-rendering the file
          command: ["sh", "-c", "source /vault/secrets/db && node server.js"]
Infisical: The Developer-Friendly Alternative
Infisical is an open-source secrets management platform designed for developer experience. It has a clean UI, native integrations, and is much simpler to operate than Vault.
At TechSaaS, we run Infisical at secrets.techsaas.cloud for our own secrets management.
# Install Infisical CLI (Debian/Ubuntu; other platforms are covered in the Infisical docs)
curl -1sLf https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh | sudo bash
sudo apt install infisical
# Login, then link this directory to an Infisical project (writes .infisical.json)
infisical login
infisical init
# Inject secrets into the environment of a command
infisical run -- docker compose up -d
# Export secrets for a specific environment. This writes plaintext to disk,
# so keep .env in .gitignore and prefer `infisical run` where you can
infisical export --env=production --format=dotenv > .env
# Inject secrets into any command
infisical run --env=production -- npm start
Infisical with Docker Compose:
# docker-compose.yml
services:
  my-app:
    image: my-app:latest   # the image must contain the infisical CLI
    environment:
      # Never commit the token itself; Compose substitutes it from the host
      # environment or a git-ignored .env file
      INFISICAL_TOKEN: "${INFISICAL_TOKEN}"
    command: >
      sh -c "infisical run --env=production -- node server.js"
Infisical secret referencing: a secret can embed other secrets with ${NAME}, and the reference is resolved when the secret is read, so composite values follow the secrets they reference:
# In Infisical dashboard
DB_HOST = postgres.internal
DB_PORT = 5432
DB_NAME = myapp
DB_USER = admin
DB_PASS = password
# Keep credentials as their own secrets; rotating DB_PASS updates DB_URL without editing it
DB_URL = postgresql://${DB_USER}:${DB_PASS}@${DB_HOST}:${DB_PORT}/${DB_NAME}
Doppler: The Cloud-Native Option
Doppler is a cloud-hosted secrets management platform. No self-hosting, no infrastructure to manage — just a clean API and CLI.
# Install Doppler CLI (pin TLS and protocol when piping an installer into sh)
curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh | sh
# Link this directory to a project and config (writes .doppler.yaml)
doppler setup
# Run with secrets injected as environment variables
doppler run -- node server.js
# Fetch a specific secret (--plain prints only the value)
doppler secrets get DATABASE_URL --plain
// Doppler Node SDK: read a secret at runtime instead of baking it into the image
// (Doppler has no dynamic secrets; this fetches the current value of a static one)
import DopplerSDK from '@dopplerhq/node-sdk';
// Use a service token scoped to one project/config, never a personal token
const doppler = new DopplerSDK({ accessToken: process.env.DOPPLER_TOKEN });
// Signature per the @dopplerhq/node-sdk docs: get(project, config, name). The response
// carries value.raw (with ${REF} placeholders) and value.computed (references resolved)
const secret = await doppler.secrets.get('myapp', 'production', 'DATABASE_URL');
const dbUrl = secret.value.computed;
Comparison
| Feature | Vault | Infisical | Doppler |
|---|---|---|---|
| Self-hosted | Yes (complex) | Yes (simple) | No (cloud only) |
| Open source | Source-available (BSL 1.1 since 2023, not OSI open source) | Yes (MIT) | No |
| Dynamic secrets | Yes (databases, cloud IAM, PKI) | Yes (databases, cloud IAM; fewer engines than Vault) | No |
| Secret rotation | Automatic (lease-based) | Scheduled for supported types, otherwise manual / webhooks | Manual / webhooks |
| Encryption-as-service | Yes (Transit engine) | No | No |
| PKI / certificates | Yes | Yes (newer, less mature than Vault's) | No |
| K8s integration | Agent injector, CSI | Operator, CSI | Operator |
| Docker integration | Agent sidecar | CLI, SDK | CLI, SDK |
| UI quality | Basic | Excellent | Excellent |
| CLI experience | Good | Excellent | Excellent |
| Learning curve | Steep | Moderate | Easy |
| Setup time | Hours/days | 30 minutes | 10 minutes |
| HA deployment | Complex (Raft, Consul) | PostgreSQL + Redis | Managed |
| Access control | Policies (HCL) | RBAC (UI) | RBAC (UI) |
| Audit logging | Detailed | Yes | Yes |
| Cost (self-hosted) | Free (BSL) | Free (MIT) | N/A |
| Cost (cloud) | HCP Vault from $0.03/secret | Free tier + paid | $18/month/user |
| Secret versioning | Yes | Yes | Yes |
When to Choose Each
Choose Vault when:
- You need dynamic secrets across many backends (databases, cloud IAM, PKI)
- You need mature PKI / certificate management
- You need encryption-as-a-service
- You have a dedicated security or platform team
- You run Kubernetes and want the mature Agent Injector
Choose Infisical when:
- Developer experience is the priority
- You want to self-host but keep it simple
- Your team is small-to-medium
- You need quick setup (under 30 minutes)
- You want an open-source MIT-licensed solution
Choose Doppler when:
- You do not want to manage any infrastructure
- Your team is entirely cloud-native
- You want the easiest onboarding experience
- Budget allows per-user pricing
Secret Rotation Strategy
Regardless of tool, implement a rotation strategy. Calendar-based rotation is a floor, not a ceiling: rotate immediately when a secret is exposed (committed to Git, pasted into a ticket, known to someone who has left), and prefer short-lived dynamic credentials where the tool offers them, since they make rotation automatic.
- Critical secrets (DB passwords, API keys): Rotate every 30 days
- Service tokens: Rotate every 90 days
- TLS certificates: Auto-renew at 30 days before expiry
- Personal access tokens: Rotate every 90 days, revoke on offboarding
At TechSaaS, we use Infisical for our self-hosted secrets management. It runs as a single Docker container with PostgreSQL and Redis (which we already have), and the UI makes it easy for our team to manage secrets across environments. For clients with advanced needs like dynamic database credentials or PKI, we deploy Vault with a managed HA configuration.